When It Comes to Medical Images, Replication Is Not Protection

Posted 07/26/2018 by Jesse Eichhorn

For years, replication of medical imaging data has been the common practice employed by healthcare organizations to ensure that the images were available in the wake of a data loss event. In fact, this practice is still the most widely implemented strategy for protecting images today. However, we now live in a post-WannaCry world where healthcare data remains under attack from a constantly evolving ransomware threat. In fact, in the U.S., the number of patient records breached as a result of hacking incidents through the first half of 2018 has increased 56 percent from the same period last year (resulting from an increase of two reported hacking incidents).

In light of this sustained threat, data replication alone is no longer sufficient to protect medical images and related patient data. Medical imaging data should be afforded the same level of protection, with a proper backup and recovery solution, which is already applied to the sensitive patient data contained within the EHR.

First, let’s look at replication and its drawbacks. Simply put, replication is a type of data mirroring that copies – or replicates – the imaging data to a secondary location once it is written to the PACS archive. If the archive fails, the PACS would point to replicated environment as soon as possible. Replication will allow the organization to meet SLAs, and does provide a degree of business continuity and protection. However, replication is often an all-or-nothing affair, so if the archive is infected with ransomware or otherwise corrupted or locked, that anomaly may be copied over to the replicated environment – potentially compromising both instances of the PACS data.

To properly compare replication to a more mature backup and recovery function, it is important to first recognize the importance of medical imaging data to the delivery of value-based care and application of diagnostic advances in the areas of AI and machine learning. Simply put, embracing the sentiment of "we can just take another image if we can’t access the previous image" flies in the face of the industry push toward low-cost, high-quality patient care. And as technologies like AI are employed to “learn” how to support more accurate diagnoses from historical data, the loss of that archived data can be a significant setback. In both of these cases, imaging data loss as a result of an inadequate data protection strategy is detrimental to the organization as a whole.

Secondly, it is important to address the issue of cost. Approximately 630 million imaging procedures occur annually in the U.S., and each procedure generates a significant amount of data. Historically, the main argument against backing up imaging data was cost; it takes a lot of tapes to back up what amounts to more than half of the data managed by the typical healthcare provider! Thankfully, the cloud has come to the rescue. According to Nadim Michel Daher, principal health IT at Frost & Sullivan, “Imaging archiving, distribution, diagnosis and analytics are the specific core application areas for  cloud use”, and that the cloud-based imaging informatics market is expected to experience a compound annual growth rate of 23.8 percent through 2021. The cloud offers the scalability, economics and simplicity the industry has needed to advance beyond replication for medical images, and with native integration to leading cloud providers Azure and AWS, Commvault can offer the power of the cloud as a seamless extension of its data platform.

Lastly, how should one define “properly protected medical imaging data?" As we recently saw with the decision by the Office of Civil Rights regarding a dispute over $4.3 million in HIPAA fines issued to MD Anderson Cancer Center, data encryption has essentially been mandated when it comes to protecting data. There’s no reason to believe that medical images and related data are exempt from this requirement. Commvault provides the ability to encrypt data both for transmission over non-secure networks (in transit) and for storage on media (at rest), offering the highest level of encryption of 256-bit AES in order to provide enterprise grade security. Commvault has validated its crypto-library with NIST and is FIPS140-2 certified.

Beyond encryption and native cloud integration discussed above, Commvault offers other compelling features that not only offer value beyond a typical backup and recovery solution. They are features healthcare organization should consider necessary to support a forward-thinking data management strategy:

  • The ability to manage all data from across the enterprise – including imaging data – through a unified, single view

  • Ransomware detection driven by AI within the Commvault platform, which detects and identifies anomalies to help organizations minimize the damage and recover quickly from an incident

  • A converged backup and archiving process that optimizes storage costs and simplifies overall data management

Medical images are extremely valuable in many ways; they are a target for cyber criminals to exploit for financial gain, contain information that can help drive healthcare costs down while improving patient outcomes, and potentially contain medical insights that the industry is actively working to excavate and unlock through the use of new technologies. It is time for the industry to protect these images in a way that is commensurate with their value.

Jesse Eichhorn is the Principal Product Marketing Manager for Healthcare at Commvault. With more than 15 years of experience at the intersection of healthcare and IT, Jesse has helped create more meaningful partnerships between leading healthcare IT companies, their solutions and the provider community.